Need help of a NETWORK ADMIN - tech question but trust me, MAJOR political import!!!

Folks, I've got a computer that's trying (and failing) to make contact with *something* at an IP address of 192.168.2.4 - I can't ping it, I can't make any contact with it so far. I need to know who owns that number (or subnet) and swear to God, I need it *STAT*. I'm fairly geeky but I haven't had to deal with this.

Tried pinging 192.168.2.0, 192.168.2.1, several others, nothing. This is WAY hot, can't say what it's about yet. HELP!?


Keaner

December 6, 2004, 02:53 PM

192.168 is a local subnet. It is another computer on your network that is pinging/being pinged.

Most routers assign a 192.168.0.1 to themselves, and assign numbers after that to following machines. If you have a wireless router, it may be time to start MAC address filtering!

ocabj

December 6, 2004, 02:53 PM

192.168.*.* is a private subnet. No one owns it. It's reserved for private use and is not allocated for Internet use.

ocabj

December 6, 2004, 02:56 PM

BTW: Here's the ranges for private use IP address.

Class A: 10.0.0.0 - 10.255.255.255
(Subnet mask: 255.0.0.0)

Class B: 172.16.0.0 - 172.31.255.255
(Subnet mask: 255.255.0.0)

Class C: 192.168.0.0 - 192.168.255.255
(Subnet mask: 255.255.255.0)

As far as why the computer is trying to contact that specific IP address, you may want to check it for viruses/worms/trojans/spyware.

Keaner

December 6, 2004, 03:01 PM

Yep, everything OcabJ said was correct.

You most definitely want to run a virus scan, and a spybot cleaner (spybot search and destroy, adaware, spysweeper, etc). All are available for free, or cheaply online. (Spybot and Adaware are free, security.kolla.de, and lavasoft.com)

shermacman

December 6, 2004, 03:02 PM

Ditto the above. If you have one point of access to the internet like a cable modem or DSL line, you get one public address. If you want a bunch of computers and printers in your house or office to share that one point of access then they need to be on a private sub-net like 192.168.xxx.xxx. They are called 'non-routable' because they don't work out in the wild. So the good news is that it can't be someone outside of your point of access, it has to be in-house. In other words...you are probably pinging yourself! Of course if you have an unsecured wireless router or if the Black Box Boys have physically connected into your wiring, then all bets are off.

why_me

December 6, 2004, 03:05 PM

Do you have WEP enabled?
Somebody war-chalked your router and is trying to discover other nodes on your network.

jnojr

December 6, 2004, 03:06 PM

Jim - the more important question is what is trying to access that IP? Sounds like you may have some kind of spyware trying to phone home. Assuming you use Windows, try netstat. Handle http://www.sysinternals.com/ntw2k/freeware/handle.shtml may help, too.

I'm on AIM and YIM with the same username. Feel free to IM me if you want..

Note that this box has a bank of modems attached that are only turned on during a two-hour window after polls close. Is this thing trying to make contact with the outside world over those modems, which is mebbe what the DHCP is all about?

Is "0001A8C00100502C070C07" an Ethernet address maybe?

mtnbkr

December 6, 2004, 03:10 PM

Does this computer use VPN or something similar to connect to a remote network (teleworker's machine, laptop, etc)? If so, the remote network might house 192.168.*.*.

What port is the computer trying to use when contacting that host? Knowing the port might help to determine if this is in any way legitimate since many malwares use odd ports.

Chris

taliv

December 6, 2004, 03:19 PM

nothing unusual is happening here. i'm not going to go into a discourse on networking, but your diebold machine is simply asking for an IP address that's outside the range configured on your DHCP server. odds are, you recently moved the diebold machine from a network where IT WAS 192.168.2.4, only, it doesn't know it got moved, so it's still asking for its old address. DHCP is sending a (Negative ACKnowledgement) which says it can't have that ip address anymore.

sorry to disappoint,

Jim March

December 6, 2004, 03:21 PM

OK. The only LEGIT connection to the outside world a GEMS/Diebold box is supposed to make are incoming modem connections via a Digiboard and modem bank. The thing is supposed to take in data from voting terminals (touchscreen, optical scan, doesn't matter) right after the polls close so that "early results" can be fed to the press. Then people hand-carry the memory cards (PCMCIA, basically "electronic ballot boxes") in from the field and they upload those to the GEMS tabulator via PCs connected to Ethernet straight to the GEMS box.

I can't see any legit reason for the central box to initiate a DHCP connection to anything else, across modem or Ethernet.

Am I missing any legit reason for these errors?

OR: is it just waiting for those modems to go live, erroring out once in a while in the meantime, so it can initiate an outside connection?

If the latter, that is WAY bad news!!!

jnojr

December 6, 2004, 03:23 PM

You'll get the same results from whois 10.1.1.1 or 172.20.1.1

If you're interested in who owns that machine, you'll need to know more about the network the machine is supposed to be connecting to. I could have a 192.168.2.4 on my network, and you could have one on yours. Heck, everybody could use 192.168.2.4... that address space is non-routable on a public network. It's only valid across a private net.

Jim March

December 6, 2004, 03:30 PM

OK. Wait. Break it down so I'm sure I know what's up: is this thing trying to make an Ethernet connection? Or a modem connection? Or it's just bad settings flopping around?

Help me out here. Why is it doing this?

BrokenPaw

December 6, 2004, 03:33 PM

Jim,

The 192.168.x.x series of addresses are (as several posted above) reserved for private use. What that means in layman's terms is this:

If you have a private network in your home or business, you should make use of addresses in one of the private reserved blocks (192.168.x.x, 172.16.x.x, or 10.x.x.x), so that, if at a later time, your network becomes attached to the internet, your internal packets will not be inadvertently propagated to other hosts on the internet.

The routers at ISPs are smart enough to know that packets to or from those addresses should not be forwarded.

Taliv's correct; the box used to live on a network where its address was 192.168.2.4, and that address was issued by a DHCP server. Because DHCP-issued addresses are supposed to survive reboots, and expire after a specified time interval, the box is attempting to re-acquire the "lease" it held on the address.

"0001A8C00100502C070C07" is the physical address id of the network card in the box. It's called the MAC (Media Access Controller) address, and is unique to the individual network adapter card.

Interestingly, MAC addresses are traceable to the manufacturer of the network card itself. In this case:

It sounds like something is requesting its IP of 192.168.2.4 from the Diebold DHCP server. Check your remote access log, and look around at the PCs (if there aren't too many) and see if any are maintaining that IP address via IPCONFIG. Another way of doing it would be to give another machine an IP of 192.168.2.5 and try pinging .4 from it.

0001A8C00100502C070C07 is too long for a MAC address, must be a machine name of some sort.

Is DHCP service running on the Diebold machine? Probably is, in order to hand out addresses to all the modem connections and PCs. Sounds like a misconfigured client to me, if an unauthorized machine was trying to inject itself into the LAN it wouldn't have an existing DHCP address reserved already.

Jim March

December 6, 2004, 03:33 PM

Let's be clear: It's not supposed to be connected to a network - not outside of a few PCs uploading memory cards, and that bank of modems (which dial IN, never out, according to the manuals).

The Ethernet to a few local machines is never supposed to be gatewayed anywhere else. And that's always the way it's supposed to be - this is a central vote tabulator for God's sake.

Under THOSE circumstances, is this normal?

RevDisk

December 6, 2004, 03:33 PM

Jim,

There is no way a "modem only" box is supposed to be accessing ethernet. The real question is what network it was connected to. Are these Diebold machines pre-programmed at a central facility via ethernet?

You could try asking Diebold for their internal network topography, but I doubt they'd give it to you. Even if they did, the numbers change rather often in DHCP. That's the point of DHCP. The IP number is not the important point when you're dealing with private networks. It's learning what private network. That number doesn't connect to the Internet, so you'd never see it from the outside.

If it's really sensitive, Jim, find a local geek and show it to them. Anything on the Internet is as public as a billboard in Times Square.

Jim March

December 6, 2004, 03:37 PM

Brokenpaw: nothing else on the small Ethernet segment it might properly be on would possibly be a DHCP server. This machine (with this error) would thus be a DHCP server.

Would this error be normal for a DHCP server? Or is this thing trying to become a *client*?

taliv

December 6, 2004, 03:40 PM

click start, run and type "cmd" and hit enter.

now type "ipconfig /all"

look for the MAC address you listed above. whatever interface that's associated with is what's trying to get an IP address. my guess is it's the built-in ethernet interface on a SOYO motherboard.

the thing though, is that it won't attempt to contact the DHCP server unless there is a cable plugged in and the link is lit. if you don't know of a legit reason for the diebold machine to contact anything, then why did you plug a cable into it?

mtnbkr

December 6, 2004, 03:41 PM

What port is this thing trying to use? The port will tell you more than the IP address (many ports are commonly used for specific services such as port 80 for Http).

Chris

Jim March

December 6, 2004, 03:42 PM

There is no way a "modem only" box is supposed to be accessing ethernet. The real question is what network it was connected to. Are these Diebold machines pre-programmed at a central facility via ethernet?

Hmmmm. Possible. But this box has been in this county for...*years*. Over 4. If it was making a client connection back when it was in Diebold's shop, then was shipped to this county, would it still be "screaming" after all this time!?

pbhome71

December 6, 2004, 03:45 PM

Jim,

You should get a copy of EtheReal. It will sniff the wire and decode the packet.

It is a freeware from www.ethereal.com. When you get the trace, may be we can do more.

-Pat

Jim March

December 6, 2004, 03:46 PM

Sigh. We don't have the ability to run commands. All we got is this damned log.

RevDisk

December 6, 2004, 03:46 PM

Under THOSE circumstances, is this normal?

If a computer is supposed to be rigged for modem only, no. There is no reason for any IP settings to exist, let alone specific IP addresses. If for some reason some software needed a local ethernet loopback, it'd use 127.0.0.1.

That said, there are reasons why someone might have misconfigured IP addresses. But it doesn't sound like a voting only machine that hypothetically modem only should have it. I'd vote that something is not normal.

mtnbkr

December 6, 2004, 03:46 PM

Ok, let's try this again...

Get the port it's trying to connect to. This can be tracked to a specific application if it's legitimate. Even if it's not one of the common ports, Diebold can tell you if it's a port used by their software. Or, if it's malware, the port usage may be documented somewhere on the Internet.

Chris

Mute

December 6, 2004, 03:47 PM

Are these computers that are supposed to be networked using static IP's? And is the computer that's trying to make the connection a server or a client for any specific purpose? This could very well be just the computer trying to do its job properly. Have to know more.

jnojr

December 6, 2004, 03:47 PM

Well, first, it could be trying to access 192.168.2.4 via a modem connection. Check the routing table ( "route print" ) when the machine is not connected, and when it is. That might give some more insight.

It's also possible this is something left over from development time. Maybe the programmer had a dev box reporting to 192.168.2.4, and when the code was buttoned up, that bit was left in. Pretty sloppy, if you ask me, but possible. Unless there's some element that's under Diebold's control (like, if when the modem is connected, all of a sudden 192.168.2.4 is part of a valid subnet), I doubt this is something nefarious.

Is the local network and modem connection under county control, or Diebold's?

mtnbkr

December 6, 2004, 03:48 PM

Sigh. We don't have the ability to run commands

Plug it into a hub (not a switch, but a hub), plug a laptop running Ethereal or any other sniffer into the same hub and let the chatty Diebold box do its thing for a few minutes or hours. Post the Ethereal results here.

Chris

BrokenPaw

December 6, 2004, 03:49 PM

Jim,

Chances are that after 4 years the box would not be trying to renew a lease. Typical values for lease-duration are: 1 hour, 1 day, or forever. It's possible that the box was, in fact, issued a permanent-lease address back when it lived at Diebold, and is trying to renew that lease now that you've thoughtfully given it an ethernet cable to talk to.

I say it's unlikely because Diebold would have been silly to set up permanent address-leases on a network that they were plugging boxes into temporarily; permanent DHCP leases are for things like servers, that people need to be able to reach reliably at a given IP address.

-BP

jnojr

December 6, 2004, 03:58 PM

Jim said he's looking at logs, not working at the actual machine.

Jim - Can you paste some sample log lines involving 192.168.2.4 into this thread? We might be able to see something that way.

Jim March

December 6, 2004, 04:01 PM

Arright.

Go here:

http://thehighroad.org/showthread.php?t=114603

Vote.

Give me some guidelines as to whether or not to pursue this further. I won't be able to discuss HOW I'll do it, but I *can* do it.

mtnbkr

December 6, 2004, 04:02 PM

Ignore my previous ramblings about ports. I completely missed Jim's post with the specific NT Log entry regarding DHCP NACK. I was wondering why everyone was so stuck on the DHCP issue.

:rolleyes:

Chris

Jim March

December 6, 2004, 04:04 PM

I'll get Bev to EMail me the logs. Good idea.

jnojr

December 6, 2004, 04:05 PM

If a computer is supposed to be rigged for modem only, no. There is no reason for any IP settings to exist, let alone specific IP addresses.

This isn't true. A modem connection is Layer 1, like twisted pair. With modems, the Layer 2 connectivity is usually PPP, sometimes SLIP. With twisted pair, you're talking Ethernet, or maybe token ring, FDDI, WiFi, etc. But both connections need a Layer 3 as well. That's usually, these days, IP. It could be IPX, like in a Novell environment. But there has to be some kind of end-to-end addressing.

mtnbkr

December 6, 2004, 04:06 PM

Then people hand-carry the memory cards (PCMCIA, basically "electronic ballot boxes") in from the field and they upload those to the GEMS tabulator via PCs connected to Ethernet straight to the GEMS box.

Could the GEMS box have DHCP services running for the purpose of providing an address to the PC you mention? Was that PC connected when the log entry was generated?

Chris

Jim March

December 6, 2004, 04:22 PM

Could the GEMS box have DHCP services running for the purpose of providing an address to the PC you mention?

Maybe.

Was that PC connected when the log entry was generated?

NO. Those are only connected for very short time periods, to download ballot image data to terminals pre-election, and a smaller number of terminals as memory card upload stations immediately post-election. Any other time, the sucker is supposed to be standalone. And it's *never* supposed to be cross-wired to the county Intranet or esp. not gatewayed to the wider Internet.

Look, if we just run GEMS itself on a PC box of our own with a software firewall like Zonealarm, it'll report an attempt to make a net connection of some sort. We don't KNOW what the hell it's been doing, but we've referred to this as the "ET Phone Home" problem.

Hell, download the code for yourself:

http://www.equalccw.com/dieboldtestnotes.html

Maybe Diebold techs have been plugging small PCs into the wire without anybody knowing. Maybe it's trying to initiate modem calls. Maybe it's checking to see if the box WAS cross-wired to the county LAN so it can establish a session outwards through the firewall to God knows where. We know a Diebold tech in Alameda County gave the modem pool fixed IP addys of 166.107.248.210 to 220 (see Rob Chen memo at the above link). Now go to:

http://www.acgov.org

Now go ping www.acgov.org - I just got 166.107.72.47 - does it look to y'all like Rob Chen made the modem pool IPs compatible with the county LAN subnet?!? Gee, I wonder why he'd do THAT?

We haven't been able to hack at a real box. Just getting these damned logs was a breakthrough.
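Added example, not from this thread or from Diebold/GEMS: the private-range point made by ocabj and others above, and the 166.107.x.x comparison in the post just above, both come down to two checks that are easy to get wrong by eye. The script below classifies an address against the RFC 1918 blocks using the prefix lengths the RFC assigns (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), so a whois on any of them tells you nothing about the owner, and computes how many leading bits two public addresses share. The addresses used are the ones quoted in the thread; nothing here says how Alameda County actually carves up its /16, only what the numbers themselves show.

```python
from ipaddress import IPv4Address, IPv4Network

# RFC 1918 private blocks with the prefix lengths the RFC assigns
RFC1918 = [
    IPv4Network("10.0.0.0/8"),
    IPv4Network("172.16.0.0/12"),
    IPv4Network("192.168.0.0/16"),
]


def classify(addr):
    """Return what a whois or traceroute could ever reveal about an address."""
    ip = IPv4Address(addr)
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    for net in RFC1918:
        if ip in net:
            return f"private ({net})"      # no owner; meaningless outside one LAN
    return "public"


def common_prefix_len(a, b):
    """Number of leading bits two IPv4 addresses share (32 means identical)."""
    x = int(IPv4Address(a)) ^ int(IPv4Address(b))
    return 32 - x.bit_length()


def same_subnet(a, b, prefix_len):
    """True if both addresses fall inside the same /prefix_len block."""
    return common_prefix_len(a, b) >= prefix_len


if __name__ == "__main__":
    for a in ["192.168.2.4", "10.1.1.1", "172.20.1.1", "172.32.0.1", "166.107.72.47"]:
        print(f"{a:16} {classify(a)}")
    # the two public addresses quoted in the thread
    a, b = "166.107.248.210", "166.107.72.47"
    print(a, b, "share", common_prefix_len(a, b), "bits;",
          "same /16:", same_subnet(a, b, 16), "same /24:", same_subnet(a, b, 24))
```

Sharing a /16 means the two addresses were allocated from the same registry block; whether they sit on the same LAN depends on how that block was subnetted, which this page does not say.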

mtnbkr

December 6, 2004, 04:38 PM

NO. Those are only connected for very short time periods

That entry is a response to a DHCP request and wouldn't happen if there was nothing to request an address. DHCP isn't generally routed (can be done, but not normally and certainly not over the Internet), so it would have to be on the same network as the GEMS box. I've run DHCP services before and I've never seen a NACK without there being a requesting system online actively requesting the IP address.

Chris

taliv

December 6, 2004, 04:41 PM

jim, were the logs on this server taken recently? at the time the DHCP log entry occured, did you have any network cables physically connected? (ethernet, phone, wireless, etc)

Jim March

December 6, 2004, 04:43 PM

That entry is a response to a DHCP request and wouldn't happen if there was nothing to request an address. DHCP isn't generally routed (can be done, but not normally and certainly not over the Internet), so it would have to be on the same network as the GEMS box. I've run DHCP services before and I've never seen a NACK without there being a requesting system online actively requesting the IP address.

>What!?<

Wait. These things are supposed to be standalone 'cept for very specific times. That's in the manuals.

Now, if it was just one county where this is happening, then OK, they've left some gear and wires still up.

But...it's ALL of 'em. Hard to believe every county would screw up in that fashion!?

:confused:

Mute

December 6, 2004, 04:53 PM

The fact that it's trying to contact a private IP instead of a public IP suggests that this is unlikely to be something nefarious.

jnojr

December 6, 2004, 04:57 PM

Are the computers with the Diebold software "black boxes" that the county receives, plugs in, and then just watches? Or does the county install the software on computers they provide? If the latter, it's possible that someone was working with an image that wasn't completely "clean".

jnojr

December 6, 2004, 05:01 PM

The fact that it's trying to contact a private IP instead of a public IP suggests that this is unlikely to be something nefarious.

That all depends on exactly how these boxes communicate. If you have a "closed system" where the modems dial in to a number that leads directly to your "master" server, and Diebold isn't involved at all, then yeah, it wouldn't be useful to open sockets to weird IP addresses. But, if there is a possibility for Diebold to be involved... if the modems connect to telephone lines that have any ability to dial out into the world, or if the machine they call into is something that Diebold has some form of control over, then there could be something dirty going on.

I really think the only way to tell would be to get a packet sniffer on the same segment as one of these machines while it's doing its thing. I'm not sure if Knoppix comes with Ethereal, but it would sure as heck come with tcpdump. Either could do the trick.

Jim March

December 6, 2004, 05:16 PM

Are the computers with the Diebold software "black boxes" that the county receives, plugs in, and then just watches? Or does the county install the software on computers they provide? If the latter, it's possible that someone was working with an image that wasn't completely "clean".

"Black Boxes" all right. It's WAY illegal to load other stuff on there. Every bit of code has to be at least accounted for. If it's "Commercial Off The Shelf" it doesn't need source code review but it still gets listed.

Not to say it hasn't been done. Half the King County WA elections management was fired for loading MS-Access on and doing most of their ballot development work in that instead of GEMS. This was...Sept. '03 I think. The Seattle Times wrote it up. One of the Diebold internal EMails talked about Access being a handy "hack tool" on the database, and mentioned "King County is famous for it". Somebody with employee access released all 15,000 EMails (summer of '03, to Wired magazine), somebody else checked King County based on that...whooops.

Access ain't an FEC-approved election program. GEMS is (which has an Access back-end runtime, but not the full dang version).

This stuff is supposed to be a *very* carefully controlled environment...not a general PC you surf the web on :scrutiny:. Which doesn't mean security was always *followed* y'understand. But in this case, the SAME weird network errors appear on more or less all the boxes, or at least close variants. So...whatever it is, either a misconfiguration screwup OR an incompetently set up back door, it's a good bet Diebold did it, not the counties.

:scrutiny:

Flyboy

December 6, 2004, 05:24 PM

Jim:

(posted in the other thread as well)

I can probably help you track this down, but I'll need more information from you. I'm a sysadmin/netadmin by trade (radiology networking), so I'm reasonably familiar with this sort of stuff. If you're interested, PM me, and I'll give you my phone number, or we'll figure something out so I can talk to you a little more directly; it'll be a lot easier to troubleshoot semi-interactively.

Just as an initial impression, I'm going to guess that this thing is trying to get a DHCP lease because it was originally configured over the network (yes, four years ago, when it was built), and they just never removed the card or disabled it in Windows. Odds are, it's just carelessness (never ascribe to malice that which can be adequately explained by stupidity), but I'll help you figure it out if you like.

jnojr

December 6, 2004, 05:38 PM

But in this case, the SAME weird network errors appear on more or less all the boxes, or at least close variants. So...whatever it is, either a misconfiguration screwup OR an incompetently set up back door, it's a good bet Diebold did it, not the counties.

I'm leaning towards my "testing" theory... this couldn't be any kind of "back door" without properly routing traffic to 192.168.2.4, and making sure that there's going to be some sort of network connection available.

Database

December 6, 2004, 06:25 PM

Rehashing:

This box has two normal functions. Accepting modem connections for receipt of early votes and local network activity for uploading of final vote results from pcmcia cards via a small number of PCs on the local network.

As a result, I wouldn't be surprised if the machine were trying to get its network config via DHCP even while it's not connected to a LAN, thus the error message. It's possible that the box provides DHCP services, but you wouldn't expect DHCP requests when the box is not connected to a network. If you are connecting it to your own LAN for testing, then you might see the latter.

If this is the only evidence of the box "trying to make a network connection" then I wouldn't be suspicious.

lee n. field

December 6, 2004, 07:07 PM

Folks, I've got a computer that's trying (and failing) to make contact with *something* at an IP address of 192.168.2.4 - I can't ping it, I can't make any contact with it so far. I need to know who owns that number (or subnet) and swear to God, I need it *STAT*. I'm fairly geeky but I haven't had to deal with this.

(Haven't read all the thread yet, but I'll chime in anyway.)

If whatever it is is firewalled, you might not be able to ping it. Get nmap (http://www.insecure.org), run it on that address, and see if any service ports show up as open. Run it with the OS detection option for further clues.

Gunstar1

December 6, 2004, 07:12 PM

Even if the modem answers incoming calls only, the caller has to have a network address in the same range as the answering modem for them to talk, assuming TCP-IP is the only network client installed.

In that case either the ip address is manually assigned or DHCP assigned. Depending on the system and settings, if the connection is not present it can cause log messages until the connection is established.

So the log can say cannot connect to ip address repeatedly until a modem connection is made. At which time the address is found, the data is transferred, and the connection is dropped. Then the log will start saying it cannot connect again, until the next modem connection.

I would have to see more info to know if this could be emulated on an outside PC dialing into the black box or other nefarious situations. The black box that is accepting incoming only, is either never connected to an outside phone line or never connected to a router, only then is it the least likely for someone to mess with it. At that point, only with physical presence in the building might someone be able to mess with them.

If outside lines are connected it might be possible to emulate a caller and fool the black box, or the router could be programmed to translate a public IP address into the private one and the box could be accessed from outside of the network.

taliv

December 6, 2004, 08:07 PM

listen,

in order to get that message, two things have to happen. first, your box MUST have an active network interface that you inserted a cable into. (not the modem)

second, you MUST have an active DHCP server on that network that is configured with a different scope than your box was recently using.

the only suspicious thing here is what you guys are doing with this box. if I were the system administrator responsible for this box, and thought it was misbehaving, the first thing i would do would be to inform the state or diebold. the last thing i would do is ask a gun forum on the internet, disclosing ip addresses and configuration in the process. seems like doing anything else would be appreciably shy of career enhancing.

jnojr

December 6, 2004, 08:45 PM

All of this talk about DHCP is highly speculative. DHCP requests and ACKs are ARP packets. There are no IP addresses, since you can't talk to an IP address until you have an IP address.

Further, since Jim is dealing with logs, and we know GEMS is based on Access, that makes this a Windows issue. Windows logs for s#!* He's almost certainly looking at GEMS-specific logs, which would be traffic to/from the database and maybe among program modules, stuff far above Layers 2, 3, or 4.

Until / unless we can actually see a few lines of the logs involving this mystery address, further speculation just isn't going to be useful.

taliv

December 6, 2004, 10:11 PM

there's nothing speculative about it, and DHCP are broadcasts, but not at all the same thing as ARP.

Jim March

December 7, 2004, 01:24 AM

I'll have access to detailed logs circa Wednesday.

The damn things aren't electronic. They're printouts. Gotta understand, we don't even have the ability to stick a floppy or blank CD in the thing.

But, if there's any reason to suspect funky, then...we have options.

---------------

One thing y'all have to understand: across ALL aspects of this stuff, security absolutely stinks by any modern standard. Diebold will always say "but that's OK, it's all standalone".

We have that glimmer from Alameda County in the Rob Chen memo that these boxes HAVE been routinely stuck on county intranets. That's not the only such glimmer.

But the point is, they will ALWAYS make the claim that any security holes we find are "covered by procedure".

Matt-man

December 7, 2004, 02:25 AM

the DHCP server issued a NACK to the client for the address request

client 0001A8C00100502C070C07 for the address (192.168.2.4)

Taliv is right, but I'll give you some more detail.

There is a DHCP server process running on THIS MACHINE. This DHCP server process is what generated the log event. This isn't an event from firewall software or something warning of a connection attempt. It also is NOT this machine attempting to obtain an address.

(Aside: DHCP servers exist on networks so that client PCs can get addresses automatically, instead of having to have their addresses entered individually on each machine. It makes administration much easier.)

At some point, THIS MACHINE received a DHCP request from ANOTHER MACHINE asking if it could use the address 192.168.2.4. The other machine asked for this address because that was the last address it was given with DHCP, and it assumed that its situation had not changed since its last DHCP exchange. THIS machine denied that request with a NACK, probably because it's configured to use a different address range.

Now, this OTHER machine had to have been connected with Ethernet. DHCP does not enter the picture when you are using a modem connection. PPP and SLIP don't use DHCP. However, that string in the message doesn't look like an Ethernet MAC address - they are usually represented as 12 hex digits (like 00:e0:4c:c6:ab:2d or 00e0.4cc6.ab2d). It's possible that it's the other machine's name - I know Windows will put the machine's hostname in its DHCP requests.

Jim, all Windows log events are timestamped. Do you know when this event was logged? It could literally be years old. You're spinning your wheels for nothing if this was an event logged when the machine was still at the factory. Also check the system time to see if it's accurate, because the log events are stamped by the system clock.

Edit: I went over the thread again. It seems to me that if this machine is a central vote tabulator, and other machines are connected to this machine via Ethernet for the purposes of transferring vote counts, then it makes sense for this machine to be running a DHCP server. (see above note on administration) If this is the case, and another computer is connected to the LAN, it's entirely possible for that computer to request an address outside the DHCP server's address range. This would result in a NACK, which would get logged as above.

BTW, as to why a whois lookup on 192.168.2.4 results in IANA - the Internet Assigned Numbers Authority: IANA has reserved this address block for special purposes, so that's why they show up as the owner in the WHOIS database.
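Added example, not code from this thread and not Diebold's or GEMS's own: taliv's reading of the NACK, mtnbkr's suggestion to sniff the segment with a hub, and Matt-man's breakdown just above all describe the same exchange, so here it is as runnable Python. The block constructs a DHCPREQUEST in the INIT-REBOOT state (RFC 2131 section 4.3.2: no server-id, ciaddr zero, option 50 carrying the address the client last held), decodes it the way a sniffer would, and applies the server-side rule from that section to decide between ACK, NAK and silence. The event text is modelled on the quote above, not copied from NT. The `decode_client_id` helper is a hypothesis of mine and nothing on this page confirms it: the quoted client field is 22 hex digits, eleven bytes, and one reading that accounts for all eleven is a 4-byte little-endian IPv4 value, a 1-byte hardware type, and a 6-byte MAC; the MAC in the constructed sample is taken from that reading and is otherwise made up.

```python
import struct
from ipaddress import IPv4Address, IPv4Network

MAGIC = b"\x63\x82\x53\x63"                 # RFC 2131 magic cookie
DHCPREQUEST, DHCPACK, DHCPNAK = 3, 5, 6     # option 53 message types
FIXED = "!BBBBIHH4s4s4s4s16s64s128s"        # RFC 2131 fixed header, 236 bytes


def build_request(mac, requested_ip, hostname, xid=0x3903F326):
    """Constructed sample: DHCPREQUEST in INIT-REBOOT state (RFC 2131 4.3.2).
    No server-id, ciaddr 0.0.0.0, option 50 = the address the client held before."""
    hw = bytes.fromhex(mac.replace(":", ""))
    fixed = struct.pack(FIXED, 1, 1, len(hw), 0, xid, 0, 0x8000,
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                        hw.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    opts = (bytes([53, 1, DHCPREQUEST])
            + bytes([50, 4]) + IPv4Address(requested_ip).packed
            + bytes([12, len(hostname)]) + hostname.encode()
            + b"\xff")
    return fixed + MAGIC + opts


def parse_dhcp(pkt):
    """Decode the fields a sniffer shows for one DHCP datagram (UDP 67/68 payload)."""
    f = struct.unpack(FIXED, pkt[:236])
    if pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP packet (bad magic cookie)")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 0xFF:   # walk TLV options until END
        if pkt[i] == 0:                       # PAD
            i += 1
            continue
        tag, ln = pkt[i], pkt[i + 1]
        opts[tag] = pkt[i + 2:i + 2 + ln]
        i += 2 + ln
    return {
        "op": f[0], "xid": f[4],
        "ciaddr": str(IPv4Address(f[7])), "giaddr": str(IPv4Address(f[10])),
        "chaddr": f[11][:f[2]].hex(":"),
        "msgtype": opts.get(53, b"\0")[0],
        "requested": str(IPv4Address(opts[50])) if 50 in opts else None,
        "server_id": str(IPv4Address(opts[54])) if 54 in opts else None,
        "hostname": opts.get(12, b"").decode(errors="replace"),
    }


def decide(msg, scope, leases):
    """Server side of RFC 2131 4.3.2 for a REQUEST without server-id (INIT-REBOOT).
    scope: network this server serves, e.g. "192.168.1.0/24"; leases: {mac: ip} on record.
    Returns DHCPACK, DHCPNAK, or None for 'stay silent'."""
    if msg["msgtype"] != DHCPREQUEST or msg["server_id"] is not None or msg["requested"] is None:
        return None                           # not the case modelled here
    if IPv4Address(msg["requested"]) not in IPv4Network(scope, strict=False):
        return DHCPNAK                        # wrong net: client moved, or its old address is stale
    held = leases.get(msg["chaddr"])
    if held is None:
        return None                           # no record of this client: the RFC says stay silent
    return DHCPACK if IPv4Address(held) == IPv4Address(msg["requested"]) else DHCPNAK


def nt_style_event(msg, verdict):
    """Event text shaped like the NT DHCP server log line quoted in the thread (wording
    reconstructed from the quote, not the exact NT string)."""
    if verdict != DHCPNAK:
        return None
    client = msg["chaddr"].replace(":", "").upper()
    return f"The DHCP server issued a NACK to the client {client} for the address request ({msg['requested']})."


def decode_client_id(hex_id):
    """Hypothesis only: read an 11-byte client id as 4-byte little-endian IPv4 value,
    1-byte hardware type, 6-byte MAC. Returns None when the length does not fit."""
    raw = bytes.fromhex(hex_id)
    if len(raw) != 11:
        return None
    return str(IPv4Address(int.from_bytes(raw[:4], "little"))), raw[4], raw[5:].hex(":")


if __name__ == "__main__":
    pkt = build_request("00:50:2c:07:0c:07", "192.168.2.4", "OLDHOST")   # constructed sample
    msg = parse_dhcp(pkt)
    verdict = decide(msg, "192.168.1.0/24", {})                           # server scope is a different /24
    print(msg["chaddr"], msg["hostname"], msg["requested"], "->", verdict)
    print(nt_style_event(msg, verdict))
    print(decode_client_id("0001A8C00100502C070C07"))                    # the id quoted in the thread
```

Run against a real capture, `parse_dhcp` takes the UDP payload of each frame on ports 67/68; the NAK branch fires only when the requested address is outside the server's scope or contradicts the server's own record, which is why a NAK in the log implies a requester was present on the wire at that moment. If the hypothesis in `decode_client_id` is right, the last six bytes can be checked against the IEEE OUI registry to test the SOYO guess made earlier in the thread; that check is left to the reader.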

Chas

December 7, 2004, 07:54 AM

Do a tracert to the 192 address, see if it resolves to a "name" of a computer you know. If not start looking at the route and identify each hop in the route. When you identify the last device your route took it will be the device the 192 address/system is attached to. Check all systems connected to that device with IPCONFIG to find your source.

Charlie.
sqldba@comcast.net

Dave Markowitz

December 7, 2004, 10:21 AM

<network geek mode>

Don't bother with the tracert or trying to locate this address online, you won't find it.

IP addresses in the 192.168.x.x range are on PRIVATE, NON-ROUTABLE subnets. Whatever network this machine was on was a private, RFC 1918 compliant network (see http://www.faqs.org/rfcs/rfc1918.html). It may or may not have been connected to the Internet but unless we can look at the logs we won't know (and we still may not know even if we can look at the logs, depending upon what they contain).

Also, do we know what OS the machine in question was running? If in fact a DHCP server was running then it was probably either Windows NT4 Server or 2003 Server. It will be useful to see what other services were running on the box, so if the other system logs are available they would be relevant.

</network geek mode>

<lawyer mode>

How do we know the logs are authentic, especially since they are hard copies? Is there a sufficiently-documented chain of custody linking them to a Diebold machine? Since they are in paper form, how do we know they haven't been altered either before printing or afterwards? Are these copies the first printout or photocopies thereof? Do the original electronic log files exist and where are they?

</lawyer mode>

client32

December 7, 2004, 10:45 AM

I might have missed this already.
What is the MAC address of this machine?

Jim March

December 7, 2004, 11:09 AM

Bev Harris saw the printout happen, I *think*. Even if not, this was a smaller county with little technical competence available - I rather doubt they'd know "what to fake" (or leave out) in a log.

This is NT w/SP6.

Dave Markowitz

December 7, 2004, 02:00 PM

If Bev Harris actually saw the log being printed out it's a start. Did it then go into her custody? If not, then where did it go?

The reason I'm belaboring this point is that if the printout is to be considered evidence then the chain of custody must be established.

secamp32

December 7, 2004, 03:32 PM

http://support.microsoft.com/?kbid=136568

http://support.microsoft.com/kb/q177648/

http://support.microsoft.com/kb/163055/EN-US/

Are other systems supposed to connect to this machine via a dialup connection? If so then this machine is probably running as a RAS server and is doing DHCP for the machines that are dialing in to it. Maybe someone tried plugging it in to a network. Does it have a network card?

taliv

December 7, 2004, 03:55 PM

evidence of what? that a dhcp server is running?

Jim March

December 7, 2004, 05:03 PM

Evidence that a machine that's supposed to be standalone BY LAW ain't?

woerm

December 7, 2004, 07:10 PM

<Sgt Friday mode>

the facts here Jim, per your 3pm note today are passing strange to this lanlord,

Senior variety...

if this is standalone, why perchance is the device running dhcp?

</Sgt Friday mode>

I'm ranting 'back door, back door'

if the machine was configured on a lan the lease had looonng ago expired on any type of dhcp, unless the lease was set to do not expire.

the vlan/tunnel protocols are old enough that this thing may be 'calling home'

Evidence that a machine that's supposed to be standalone BY LAW ain't?

Jim, as I asked before,

when were the logs taken?
what cables have you plugged into it?

if it's supposed to be standalone BY LAW, then why have you plugged a cable into it?

regardless of how it's configured, you're not going to get any of those DHCP log entries unless you've got a cable plugged into it.

if you don't have any cable plugged into it now, i guarantee it's not generating those logs now. as was mentioned by several people, the log entries are probably old, from the time the machine was connected to a LAN so that it could collect data, regardless of when the logs were printed.

Matt-man

December 8, 2004, 02:35 AM

The only LEGIT connection to the outside world a GEMS/Diebold box is supposed to make are incoming modem connections via a Digiboard and modem bank. The thing is supposed to take in data from voting terminals (touchscreen, optical scan, doesn't matter) right after the polls close so that "early results" can be fed to the press. Then people hand-carry the memory cards (PCMCIA, basically "electronic ballot boxes") in from the field and they upload those to the GEMS tabulator via PCs connected to Ethernet straight to the GEMS box.

I bet you this machine runs a DHCP server to simplify connecting the ballot upload PCs, and one of the ballot upload PCs requested an address outside the DHCP server's scope. The result is the DHCP NACK which generated this log entry. Simple as that.

Chas

December 8, 2004, 07:48 AM

Dave Markowitz made the comment "not to bother with tracert". I beg to differ. If this terminal is connected to a local/private network it will be able to tracert to 192 addresses on the local Ethernet network. Why wouldn't it? However I did see that Jim can't issue commands so this is an invalid option anyways.

Jim. If the logs show that this is happening while the other systems are not connected, sending results from their dial in connections, then it's coming from inside your network, your private, local Ethernet network. If Mr. Markowitz can prove me wrong and you can't do a tracert to the intruding 192 address, simply go to the few other systems at your location and do an ipconfig on each of them to find the ip's assigned. You have no other choice but to find it.

You guys are trying to make this much harder than it needs to be. Simple LAN issues aren't that hard to troubleshoot.

Jim March

December 8, 2004, 10:43 AM

Taliv: I don't understand why you can't comprehend that we can't do ANYTHING to these things. If we approached the thing with a cable in hand, the elections officials would have us under arrest by the local police in about a red-hot second.

We can't plug *anything* in. We can't load software. We can't so much as stick a blank floppy in.

It gets worse. Most of the elections officials are so paranoid and so techno-turnip stupid they won't let us look at the back end of the machine and see what's plugged in.

Do you understand the situation yet?

Endlessly saying "why are YOU doing this" is just...it's like asking why the sky is paisley.

Arright? Am I getting through here?

Now. IF there is ANY reason in the full logs to suspect wonkiness, then maybe we can change the situation via methods I can't discuss.

anapex

December 8, 2004, 11:03 AM

One thing y'all have to understand: across ALL aspects of this stuff, security absolutely stinks by any modern standard. Diebold will always say "but that's OK, it's all standalone".

We have that glimmer from Alameda County in the Rob Chen memo that these boxes HAVE been routinely stuck on county intranets. That's not the only such glimmer.

But the point is, they will ALWAYS make the claim that any security holes we find are "covered by procedure".

So today for the logs sometime Jim? Sounds great, in the meantime since they're relying on it being standalone and trying to cover things with procedure would you happen to have a copy of the procedures? And if you know too the security level they're trying to hit (should be damned high IMHO)? Configuration procedures would be good too.

BrokenPaw

December 8, 2004, 11:16 AM

Yesterday evening, a total wild-arsed, purely speculative, tinfoil-hat-wearing idea popped into my head. With that disclaimer in mind:

I run an 802.11b wireless LAN in my home. I don't use an access point. Instead, I run the network peer-to-peer, and one of the peers serves DHCP to the rest, so that guest laptops and what-have-you only need to know the network name and the WEP key, and they can get a temporary DHCP address from my network.

So. Is it possible that this box has a wireless network adapter living somewhere within it, serving DHCP, whereby to allow a "war-driving" black-hat with a laptop to gain access to the machine without having to even physically connect to it? Without, in fact, having to necessarily even come inside the building, depending on floorplans?

Just a thought.

-BP

MikeB

December 8, 2004, 11:35 AM

As others have stated the 192.168.*.* is a private subnet. In other words it is not trying to contact a computer on the internet. I'm having a little trouble understanding exactly how and what error you saw that makes you think this machine is trying to contact another machine with the address of 192.168.2.4. Most likely though if this is the "server" in a voting place that has "dumb" terminals connected to it for the actual voting it is just trying to talk to one of its "dumb" terminals. The logs would clear this up fairly quickly. Also if the machine is running the Routing and Remote Access service and the DHCP service it could be the address that this machine is assigning to the machine that connects through the modem(s) you spoke of earlier.

None of this sounds all that nefarious or suspicious to me.

taliv

December 9, 2004, 12:01 AM

matt-man, yep, that's pretty much what i said earlier.

chas, it's not trying to contact the machine. it's trying to give it an ip address. until DHCP is successful, there's no point in trying to traceroute, because the system won't have an IP address to traceroute to. there may be a box with 192.168.2.4, and he might be able to traceroute to it, but that would essentially be a wild goose chase, and lead you to believe you're talking to the machine in question, when in fact you're talking to a completely different computer. that make sense? nobody is saying (at least i think they're not) that you can't traceroute in an intranet with RFC1918 addressing.

Jim, i'm not trying to be overly confrontational about this. I'm just saying this is a very simple, normal setup and nothing to get excited about. What I can't comprehend is why you haven't shown the log to an election official and asked why the machine is behaving this way.

Jim March

December 9, 2004, 11:15 AM

What I can't comprehend is why you haven't shown the log to an election official and asked why the machine is behaving this way.

We have.

Dude, not only do they not know why this is going on, they have to be hand-held through the process of printing the log. And they don't have clue one about what DHCP is or any other networking concepts.

This is part of the disease we're dealing with here. Diebold has offered very low cost on-site handholding as part of the service agreement. Which means the county election officials don't have to request help from the never-enough-of-'em network geeks within the county's IS department.

So Diebold techs handle...well in some cases, *everything*. Swear to God, we know of situations where they ran the *whole* election, wildly contrary to law. But even when it's not THAT bad, they always handle system installation.

macavada

December 9, 2004, 12:41 PM

This is cool. I never thought anybody would be talking about Diebold machines on THR.

Macavada, yes it is cool that they are talking about Diebold machines on here. But seriously, what the heck are they doing running NT4 on a voting machine?

This is nothing. The guy who set the system up left something turned on that he shouldn't have, which is real easy to do considering Microsoft leaves EVERY FREAKING THING they touch in a compromised state. Why they aren't running some sort of *Nix OS like BSD, or even any flavor of Linux boggles my mind.

But obviously that is neither here nor there. I don't believe it's a problem. But if it's in your power Jim have the whole box replaced. Raise a stink, and the guy who set it up, put his butt in a sling. Just freak out on somebody in charge of that stuff. If they don't have spares then I don't know what to tell you. They obviously are getting paid large bucks. Pork belly companies always do this kind of stuff. Make you shell out six to eight digit figures and give you an inferior product.

FYI: ALL Microsoft OS'es are easily compromised if you have physical access to the machine. Heck if I got a floppy drive, CD-ROM drive or USB port to work with that system is dead within five minutes. That's why your monitors are paranoid. They've probably been warned that the system can be hosed easily. If you don't have a lock on the case lid, I can do anything I want.

Now with all that said it's a whole lot easier to manipulate the operator running the machine who knows nothing about it, than it is to actually crack the machine. It's called social engineering. Look up Kevin Mitnick sometime. He was arrested for hacking machines he was GIVEN access to.

If it's a DHCP request though it's probably nothing. Again if you suspect any hijinks just raise hell. The roaches always scurry when you flip a flashlight on. Oh and get an old cop (preferably detective, retired, he'll like the action), that you trust who can read faces of the people around you. Your own worst enemies are they of your own household.

macavada

December 9, 2004, 06:49 PM

Member, Board of Directors, Black Box Voting

You're connected with them?! That's really cool. I hear about Black Box Voting on Randi Rhoads all the time.

Ladies and gentlemen this is all related to the ballot and voting. Everything possible needs to be done to run down every thing. Free and honest elections are the responsibility of everyone. Diebold has been shown to lie through their teeth. Everything electronic in the voting arena needs vetted seven ways from sunday.

Mute

December 10, 2004, 02:58 PM

Yes. But we need to separate the cases of incompetent design from the legitimate attempts at fraud. There is a proper response for each.

jnojr

December 10, 2004, 04:37 PM

Yes. But we need to separate the cases of incompetent design from the legitimate attempts at fraud. There is a proper response for each.

Sure, but we need to know what we're talking about, first. I get a kick out of the people who keep talking about DHCP... we don't know what kind of logs are involved, let alone what they actually say. If/when Jim can post the relevant snippets, we can give a more informed opinion. Until then, this thread is pure speculation, and worth precisely nothing.

Graystar

December 10, 2004, 06:11 PM

Sure, but we need to know what we're talking about, first. I get a kick out of the people who keep talking about DHCP... we don't know what kind of logs are involved, let alone what they actually say. If/when Jim can post the relevant snippets, we can give a more informed opinion. Until then, this thread is pure speculation, and worth precisely nothing.

I can't believe this thread is still going.

We DO know what kind of log is involved. It is the Windows Event Log...specifically, the System Log. The message in question came from the Microsoft DHCP server. Matt-man’s explanation is exactly right. Look at it here:

http://www.thehighroad.org/showpost.php?p=1395103&postcount=54

There is nothing going on here. Jim March just doesn’t understand that two computers connected with a 6ft cable use the same exact networking system as two computers on opposites sides of the world connected through the Internet. He’s obviously not a networking person. If he’s serious about this then he should have a real network security engineer review the entire log, instead of making alarmist posts about messages that HE thinks are trouble. He’s obviously not qualified to make those determinations.

Jim March

December 10, 2004, 07:48 PM

It's been a while since I was in the "business", and I wasn't familiar with the latest error messages. Most of my server admin experience was Netware versus M$ stuff anyways. Once my memory was jogged on what the 192.168.xxxxxxxx block meant, I felt a bit dumb because yeah, about four+ years back I was dealing with that.

However.

There ain't supposed to be a network cable plugged into this thing except during specific periods. And this error didn't occur during one of those periods. I've seen the certification docs for the procedures to be used on these.

Bev is scanning the logs. I'll be able to post 'em soon. If it's plugged into a LAN cable at all in the period in question, that's an issue. IF we can show that it's cross-wired into the county intranet (even if behind a firewall) that's a MAJOR issue and would certainly be a violation of California law, and probably Florida's.

---------------

I would like to add that Graystar and I have had some serious differences of opinion on other issues. In my view, he's specifically ignored info and when pressed to explain specific points he's claimed he did before when he didn't. I have since made a point of not arguing with him on Constitutional issues. I think he's personally biased against me at this point, and I can assure all that it's mutual, and his biases are going to get in the way here. Bigtime.

So I'm asking him to butt out of this thread, permanently, just as I've pulled out of any discussion of constitutional issues with him. Too much baggage going on and this is too important for that. We have enough people with current and extensive LAN techie experience to catch any flaws once we start digesting the logs.

anapex

December 10, 2004, 10:11 PM

I can't believe this thread is still going.

I can, we still don't have the full log so we can't say for certain what's going on. It could be something bad and it could be something normal, who knows. Personally I'll wait until I see the logs until I make a decision.

Graystar

December 11, 2004, 02:48 PM

I can, we still don't have the full log so we can't say for certain what's going on.

You'll *never* know for certain what's going on by looking at the system log. It just doesn't have that kind of information. But as far as the specific log entry is concerned, there is no question here. The error is very specific and only occurs for one event. That's what Microsoft says.

I would like to add that Graystar and I have had some serious differences of opinion on other issues. In my view, he's specifically ignored info and when pressed to explain specific points he's claimed he did before when he didn't.

I've always fully explained my positions in all discussions I've been a part of. Don't confuse a lack of explanation with your refusal to read anything that doesn't follow the beat of your drum.

"A fanatic is one who can't change his mind and won't change the subject."
Winston Churchill

beerslurpy

December 11, 2004, 04:29 PM

Jesus christ people, calm down.

Diebold runs off of windows PCs and an Access database. If you wanted to falsify election results, you don't need to resort to complex trickery involving the network. You just edit the results on the machine. There is no reason to suspect wrongdoing in this manner because the entire system itself is insecure.

Computers are routinely given ethernet devices because it is cheap to put them on motherboards. The devices are turned on by default but often not hooked up to anything.

192.168.x.x address space is entirely private. It is not found on the internet. If 192.168.2.4 does not exist on your local network (indeed, if you lack such a network this would be true) then there is nothing to worry about.

Possible causes of this attempt at network access are:
-the diebold programmers were using 192.168.2.4 on their private network for some sort of debugging purpose and having the voting machine talk to that computer so they could ensure that it was working as expected. When the machine is only hooked up to the modem, it fails to connect to any local network machines and the debugging code does nothing.
-something in windows has developed a liking to 192.168.2.4 (possibly when it was hooked up to another local network) and is trying to access some service that no longer exists at that address. The diebold machines are probably using default windows configs which means a lot of services are running and doing their thing. This is harmless but it might involve poking around the local network (sniff for netbeui traffic on a windows network someday lol flood) to find the network services it needs. Windows can be chatty at times.
-a virus that is trying to propagate itself across a local network but is hanging on the first address in its memory because there is no ethernet cable. This is extremely farfetched, and even if the worst case scenario were true, it is 100 percent unlikely that the virus would know how to tamper with election results or do anything truly naughty. Viruses like to propagate for the most part and rarely target specialized applications directly (except disabling virus scanners, obviously).

It is impossible that it could be:
-an attempt to reach something on the internet. Once you leave your local network, that address is unroutable. The routers will just laugh at you. It has been this way since the dawn of the internet. Certain addresses just aren't allowed to be used on the internet.
-spyware. Spyware would probably piggyback on the HTTP transport layer that IE provides/uses because HTTP is passed through firewalls, HTTP is innocuous and HTTP gets lost in the flood of other HTTP traffic. Spyware also tries to reach outside addresses, not local ones.
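
As an added illustration of two points made in the thread (that 192.168.x.x is RFC 1918 private space, and that a DHCP server answers a request for an address outside its scope with a NAK, as Matt-man and beerslurpy describe), here is a small Python model that is not from the thread, from Diebold, or from Microsoft's DHCP server. The scope 192.168.1.0/24, the pool bounds and the MAC addresses are constructed assumptions; the thread never states what scope the tabulator served.

```python
"""Added example: RFC 1918 membership check plus a simplified model of how a
DHCP server decides between DHCPACK and DHCPNAK for a DHCPREQUEST."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Tuple

# The three private blocks from RFC 1918 (the ranges ocabj listed earlier).
RFC1918_BLOCKS = (
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
)


def is_rfc1918(addr: str) -> bool:
    """True if addr is private, non-Internet-routable space; WHOIS shows IANA as
    the holder of these blocks, not any particular organisation."""
    ip = ipaddress.ip_address(addr)
    return any(ip in block for block in RFC1918_BLOCKS)


@dataclass
class DhcpScope:
    """A hypothetical server scope: the subnet it serves and the pool it hands out.
    'leases' maps address -> client MAC and is a constructed stand-in for a real
    lease database."""
    network: ipaddress.IPv4Network
    pool_start: ipaddress.IPv4Address
    pool_end: ipaddress.IPv4Address
    leases: Dict[str, str] = field(default_factory=dict)

    def in_pool(self, ip: ipaddress.IPv4Address) -> bool:
        return self.pool_start <= ip <= self.pool_end


def make_scope(network: str, pool_start: str, pool_end: str) -> DhcpScope:
    """Build a scope from dotted-quad strings (convenience for tests and demos)."""
    return DhcpScope(
        ipaddress.ip_network(network),
        ipaddress.ip_address(pool_start),
        ipaddress.ip_address(pool_end),
    )


def handle_request(scope: DhcpScope, client_mac: str, requested: str) -> Tuple[str, str]:
    """Simplified DHCPREQUEST handling for a client in INIT-REBOOT, RENEWING or
    REBINDING state (RFC 2131 section 4.3.2): the server NAKs any request for an
    address it cannot serve, and ACKs otherwise.

    Returns (reply_type, reason). The reason text is this model's own wording,
    not the text of the Windows event-log entry discussed in the thread.
    """
    ip = ipaddress.ip_address(requested)
    if ip not in scope.network:
        # The classic case behind the thread: a client still holding a lease from
        # some other network asks for it here, and the server refuses.
        return "DHCPNAK", f"{requested} is not on the served subnet {scope.network}"
    if not scope.in_pool(ip):
        return "DHCPNAK", f"{requested} is outside the pool {scope.pool_start}-{scope.pool_end}"
    holder = scope.leases.get(requested)
    if holder is not None and holder != client_mac:
        return "DHCPNAK", f"{requested} is already leased to {holder}"
    scope.leases[requested] = client_mac
    return "DHCPACK", f"{requested} confirmed for {client_mac}"


def demo() -> Tuple[str, str]:
    """Walk the thread's scenario: a tabulator serving 192.168.1.0/24 (assumed)
    receives a request for 192.168.2.4 from an upload PC that last lived on a
    different LAN. Returns the server's decision."""
    scope = make_scope("192.168.1.0/24", "192.168.1.100", "192.168.1.200")
    return handle_request(scope, "00:11:22:33:44:55", "192.168.2.4")


if __name__ == "__main__":
    print("192.168.2.4 private?", is_rfc1918("192.168.2.4"))
    print(*demo())
```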

Zak Smith

December 12, 2004, 02:07 AM

I've only scanned this thread, but..

Realize that IP traffic can be transmitted over modems, you know: PPP and SLIP are transports for TCP/IP over modems.

-z

taliv

December 12, 2004, 02:12 AM

true, zak, but those protocols don't use DHCP for IP address assignment. the DHCP event log is what this discussion is all about.

Risasi

December 12, 2004, 04:45 AM

Gah!!

This is nothing, just shoot the schmuck that set the box up. Or make him turn DHCP Server (If it truly is running) off, then shoot'im. :D

LoneStranger

December 12, 2004, 01:49 PM

Risasi;

The problem with that approach is that it will most likely result in a Toxic Waste spill and you don't even want to be involved in the resulting paperwork much less the cost of cleaning. :rolleyes:

You really need to give more consideration to others when you make suggestions. ;)

Risasi

December 12, 2004, 06:48 PM

Heh,

Being a geek myself, involved with many legal/police/government entities I concur. IT guys generally are full of BS, don't know what they are talking about. Only last 5-7 years in the field before changing job venues, and are pretty arrogant. Yeah call Hazmat if you shoot one, that's for sure.

As for my response, I don't think it's anything. Most computer related problems are nothing. Many times obscure, but small. Then a few are real problems. We have an acronym PEBCAK (Problem Exists Between Chair And Keyboard). In this case it's the geeks running the show. Bad idea. They get power hungry and get off on controlling everything for you. It's just this thread has gone on forever about essentially nothing. Which you may not see from your side of the elephant.

Graystar

December 13, 2004, 01:46 AM

So I'm asking him to butt out of this thread, permanently

I see...freedom of speech for everyone except those that disagree with you. You sure do know how to demonstrate your support for the Bill of Rights. :rolleyes:

macavada

December 14, 2004, 09:19 PM

Alright Jim, what's going on. I heard Bev today on Randy Rhoads, and she didn't sound like she was shooting straight. Sounds like a lot of people are unhappy with black box voting.

Thumper

December 15, 2004, 03:07 PM

Absolutely hilarious!

Looks like Bev and Co. are putting the hurt on the Dems' desperate fantasies...and using DU contributors' cash to do it!

I didn't donate anything. But the way the interview went, it doesn't sound good.

It doesn't matter if you gave money or were a sympathizer, anyone associated is going to have egg on their face if Black Box Voting starts falling apart based on infighting and leadership problems. :(

By the way, Thumper, did you vote for that scumbag DeLay?

Thumper

December 15, 2004, 05:22 PM

By the way, Thumper, did you vote for that scumbag DeLay?

Yes. I know not only The Scumbag, but his wife Chistine, and especially his daughter Dani, all pretty well.

If you'd like to send him a thank you letter for his remarkable pro gun efforts, you can address it to

Tom Delay
10701 Corporate Drive, Suite 118
Stafford, TX 77477

:neener:

taliv

December 15, 2004, 05:45 PM

macavada/thumper, would one of you mind giving us the cliff notes? apparently, i've been living in a cave lately. i scanned the DU thread and it was all referencing an event nobody seems to explain. what is going on?

macavada

December 15, 2004, 06:02 PM

Nice post, Thumper. That was funny. Thanks.

macavada

December 15, 2004, 06:11 PM

macavada/thumper, would one of you mind giving us the cliff notes? apparently, i've been living in a cave lately. i scanned the DU thread and it was all referencing an event nobody seems to explain. what is going on?

Well, I can't give you a lot of specifics on what was said or not said. I was in my car at the time listening to Randi Rhodes interview Bev Harris. Randi accused Bev of not returning phone calls, and not going to testify before congress when many involved in the whole voting scandal did testify.

Also, it seems there's been a falling out between Bev and another person (Andy?) who was working with her with regard to understanding the voting machines.

Randi started talking about the money she helped raise for Bev's organization, and alluded to how the money was being spent.

Generally, Bev seemed very evasive, and could not give good explanations on what they (BBV) were doing and how they were directing the investigation. No good answers for any of Randi's questions.

If there is anybody on this board that knows what's going on, it is probably Jim March. Jim, can you share what you know?

Thumper

December 15, 2004, 06:13 PM

DU has collectively been going through delusional histrionics since the Bush win. ("It's a huge conspiracy!")

Black Box Voting is an organization that has sworn to get to the bottom of various perceived voting irregularities. Bev Harris is at the forefront of that bunch.

She has been the golden child of DU and the far left lately, evidently garnering quite a bit of cash in her crusade.

Thing is, the only results she's produced so far have been detrimental to the Kerry cause, therefore, cries of "traitor" are being heard. She has a habit of threatening her detractors with lawsuits.

DU is in meltdown over the whole thing. I wish I was a good enough person not to enjoy it so much.

macavada

December 15, 2004, 06:15 PM

Friendship with Delay is a pretty good indicator of your character. :neener:

Thumper

December 15, 2004, 06:48 PM

Mostly just his daughter and wife...of course, if you know them, then you know that that actually further maligns my character. :D

(They're actually pretty good folks.)

There's no denying that ol' Tom has proven helpful in the 2nd A fight. Try to keep in mind that this is a firearms rights board.

But screw the thread veer, let's get back to this:

http://dummiefunnies.blogspot.com/

Read it...it's magically delicious.

Jim March...what's up with your girl?

Chas

January 3, 2005, 02:47 PM

What happened Jim? Did you get the logs?
